local waifu
Bring her home

Pick your platform

Try her free for 7 days. No card. Keep her? $20 once.

New: Local Waifu now runs on Windows 10 and 11. The installer brings everything she needs, nothing else to set up. Windows may show a SmartScreen prompt the first time: click More info, then Run anyway.

blog

AI Girlfriend Data Breaches: A Running Tracker

6 min read
In short

Four documented incidents in under two years exposed intimate chats from tens of millions of AI companion users: Muah.AI (1.9M email addresses, 2024), Replika (5 million euro GDPR fine, 2025), Chattee and GiMe Chat (43 million messages, 2025), and Chat & Ask AI (300 million messages, 2026). Every single one was a cloud backend that should not have been reachable. None of them were a problem with the AI.

Four documented incidents in under two years. Tens of millions of people’s intimate conversations. Every single one of them was a cloud backend that should not have been reachable, and not one was a problem with the AI.

I keep this page updated because nobody else is collecting these in one place, and the pattern only becomes obvious when you line them up.

The tracker

DateAppWhat got outSource
Sept/Oct 2024Muah.AI1.9M email addresses plus chat and image promptsMalwarebytes, Have I Been Pwned
Apr 2025Replika (Luka Inc.)5,000,000 euro fine, no age checks, no valid legal basisEDPB
Aug 2025Chattee Chat + GiMe Chat43M messages, 600K+ images and videos, 400K+ usersCybernews
Feb 2026Chat & Ask AI~300M messages from 25M+ usersMalwarebytes

Read the “what got out” column again. Not usernames. Not “some metadata may have been affected”. The conversations.

Muah.AI, 2024: fantasies with your name attached

The short version: 1.9 million email addresses leaked alongside the prompts those accounts had written, including sexual ones. Extortion attempts followed.

This is the one that should have ended the category’s free pass.

The leak paired prompts to email addresses, and per Malwarebytes’ reporting most of those were not throwaway addresses. They were personal accounts, many traceable to a real name and a LinkedIn profile. So the leak did not reveal that a million people use an AI girlfriend app. It revealed what a million specific, findable people asked it for.

The hacker’s own description of the backend, quoted in the coverage, is the part I cannot get out of my head: a handful of open-source projects duct-taped together. Getting in did not take a sophisticated technique.

Reports of extortion attempts against affected users followed.

Replika, 2025: the regulator won and nothing came back

The short version: Italy’s Garante fined Luka Inc. 5 million euros in April 2025 for having no valid legal basis for its processing and no meaningful age verification. Children under 13 were creating accounts.

Per the EDPB’s own summary, the findings were: no valid legal basis for several processing operations including LLM development, no effective age verification at all, and a privacy policy that was English-only, opaque, and factually wrong in places.

Five million euros is a real number. Hold onto what it bought the users, though: nothing. The company kept operating. Nobody’s conversations came back. I wrote a whole piece on why this keeps happening in Why the FTC and GDPR Won’t Save Your AI Chats.

Chattee and GiMe, 2025: 43 million messages, no password

The short version: Cybernews found an unprotected Kafka broker on 28 August 2025 streaming 43 million messages, 600,000+ images and videos, from 400,000+ users of two companion apps. There was no authentication on it.

No hack. No exploit. A researcher looked, and it was open.

Alongside the messages sat IP addresses, device identifiers, and authentication tokens, which is the detail that turns “embarrassing” into “hijackable”. The apps did not store names or emails, which sounds protective until you remember that an IP plus a device ID plus any older breach is usually enough to put a name back on a person.

Chattee alone had 300,000+ downloads, mostly in the US. I go deeper on this one in What 43 Million Leaked Messages Teach You.

Chat & Ask AI, 2026: 300 million messages, public database

The short version: A researcher reported roughly 300 million messages from over 25 million users exposed through a Firebase database left publicly readable. The app has more than 50 million users.

The cause here is almost boring: Firebase security rules left set to public, which means anyone holding the project URL can read the data with no authentication. It is one of the most documented misconfigurations there is.

The exposed data reportedly included entire chat histories, including conversations about illegal activity and requests for help with suicide. Those are the conversations people have when they believe nobody is watching.

The pattern is the whole story

The short version: Not one of these was an AI problem. Every one was somebody else’s server, configured badly, holding your conversation.

Line them up and the root causes are almost comically mundane:

  • Muah.AI: a backend duct-taped together
  • Chattee: a Kafka broker with no authentication
  • Chat & Ask AI: a Firebase database left public
  • Replika: no legal basis and no age check

Not one of these is a story about artificial intelligence. They are stories about ordinary web infrastructure holding extraordinarily intimate data. The AI part worked fine. The part that failed was the part where a company kept your conversation.

And per the security reporting collected above, these are not the only ones. Coverage of the pattern counts roughly 20 documented incidents across AI-powered apps between January 2025 and April 2026, tracing back to the same handful of preventable causes: misconfigured databases, missing security rules, hardcoded keys, exposed cloud backends.

That is not an unlucky category. That is a structural condition of the category.

What can and cannot be breached

Here is the uncomfortable thing about the list above: none of it required the company to be evil. Muah.AI did not sell your fantasies. Someone left the door open.

You cannot fix that by choosing a more trustworthy company, because trustworthiness is not what failed. Competence at cloud configuration is what failed, in four different companies, in under two years.

What you can change is whether there is a database at all.

If the model runs on your own computer and the conversation never leaves it, there is no central store for a researcher to stumble into and no dump for a hacker to sell. This is the entire reason Local Waifu works the way it does: not because I am better at securing servers, but because I do not have your conversations to lose. There is no bucket with your name on it. There is no Kafka broker. The messages are on your disk.

I am not going to pretend that makes you invulnerable. Your own machine can be stolen or infected, and that is a real risk. It is just a completely different one, with defences you actually control, and it does not put you in a dump alongside 400,000 strangers.

If you are using a cloud companion right now

One question, and it is not “do I trust them?”

Ask: if their backend were exposed tomorrow, what would be in it? Then reread the tracker, because that is the question every person in those four rows had a wrong answer to.

If you want the version where the honest answer is “nothing, because it is all on your machine”, that is what I built. 7 days free, no card.

Last updated: 15 July 2026. If you know of a documented incident I have missed, with a source, tell me and I will add it.

Questions people ask

Have AI girlfriend apps actually been breached?

Yes, repeatedly. Muah.AI leaked 1.9 million email addresses tied to sexual chat prompts in 2024. Chattee Chat and GiMe Chat exposed 43 million messages from over 400,000 users in 2025. Chat & Ask AI exposed roughly 300 million messages from 25 million users in early 2026. Replika was fined 5 million euros by Italy's regulator in 2025. These are documented incidents with named sources, not speculation.

What was actually exposed in these leaks?

Not just the fact that you use the app. The actual conversations. Muah.AI's leak tied sexual fantasy prompts to real email addresses, many of them personal accounts traceable to LinkedIn profiles. Chattee's leak included images, videos, IP addresses, device identifiers, and authentication tokens. Extortion attempts followed the Muah.AI breach.

What causes AI companion data breaches?

Almost never the AI. In every documented case it was ordinary cloud misconfiguration: an unprotected Kafka broker in Chattee's case, a public Firebase database in Chat & Ask AI's case, and a backend one hacker described as open-source projects duct-taped together in Muah.AI's case. The common factor is that your conversation was sitting on somebody else's server in the first place.

Can a local AI companion be breached the same way?

Not in the same way, because there is no server holding your conversations. Every incident in this tracker is a failure of a cloud backend that had your data. If the model runs on your own machine and the conversation never leaves it, there is no central database for a researcher to stumble on or a hacker to dump. Your own machine can still be compromised, which is a real but completely different risk with completely different defences.

Did the GDPR fine get Replika users their privacy back?

No. Italy's Garante fined Luka Inc. 5 million euros in April 2025 and the company kept operating. A fine punishes a company. It does not un-leak a conversation, and no regulator has ever handed anyone their intimate chat logs back.

Try her free for 7 days.

No card. Keep her for $20 once, or walk away. Her soul file is yours either way.

Bring her home, try free

Back to the blog